dtadmin
asked on
What to do with AD published certificates when decommissioning a CA?
Decommissioning a poorly maintained Windows 2003 Enterprise Root CA and its subordinate CA in preparation for replacing it with a brand new Windows 2008 AD CS based PKI. Over the years, the old subordinate CA issued quite a few certificates; most are expired, and the rest are easily identifiable.
Prepared to follow the instructions in Microsoft KB889250 to remove the CA, but there is no mention of what to do about the certificates that were published into AD. The e-mail admin mentioned that Exchange complains all the time about expired certs when rebuilding the GAL, which got me thinking that maybe we need to manually purge those out of the directory too.
Any advice how to carry this out, or if it's even advisable?
When you revoke all of the certificates and publish the CRL, AD should no longer display them.
If there are just a few, you can remove them from AD manually beforehand if you really want to: in AD Users & Computers enable View > Advanced Features, then pull up the user accounts and look at the Published Certificates tab.
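The Published Certificates tab in ADUC is a view of the multi-valued userCertificate attribute on each user object, which is also what Exchange reads when it builds the GAL/OAB. Doing that by hand is fine for a handful of accounts, but the asker says the old sub CA issued "quite a few", so here is an added PowerShell example (not from the original thread, and not a Microsoft procedure) that enumerates every published certificate, flags the ones that are expired or were issued by the CA being retired, writes a CSV of what it finds, and optionally strips just those values. It assumes the RSAT ActiveDirectory module, an account that can write userCertificate, and that $OldIssuer is set to the exact Issuer DN of the retiring sub CA (the value shown below is a placeholder).

```powershell
# Added example for this thread; not code from the original post or from KB889250.
# Assumptions: RSAT ActiveDirectory module is installed, the running account may
# write userCertificate, and $OldIssuer is the exact Issuer string of the retiring CA
# (copy it from $cert.Issuer on a known cert; the value below is a placeholder).
Import-Module ActiveDirectory

$OldIssuer = 'CN=Contoso Issuing CA, DC=contoso, DC=com'   # placeholder, replace
$DryRun    = $true        # first pass reports only; set to $false to modify AD
$Now       = Get-Date
$CsvPath   = '.\usercertificate-cleanup.csv'

# Every user object that has at least one certificate published in AD
$users = Get-ADUser -LDAPFilter '(userCertificate=*)' -Properties userCertificate

$log = foreach ($u in $users) {
    foreach ($raw in @($u.userCertificate)) {
        # Each value is the DER-encoded certificate as a byte[]; the unary comma keeps
        # New-Object from splatting the bytes as separate constructor arguments.
        try {
            $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList (,$raw)
        } catch {
            # Not a parseable certificate: leave it alone but record it for review
            [pscustomobject]@{ User = $u.SamAccountName; Action = 'Skip (unparseable)';
                               Subject = ''; Issuer = ''; NotAfter = $null; Thumbprint = '' }
            continue
        }

        $expired = $cert.NotAfter -lt $Now
        $oldCA   = $cert.Issuer -eq $OldIssuer     # -eq is case-insensitive in PowerShell

        if (-not ($expired -or $oldCA)) {
            $action = 'Keep'
        } else {
            $action = if ($DryRun) { 'Would remove' } else { 'Removed' }
            if (-not $DryRun) {
                # -Remove deletes only this one value of the multi-valued attribute,
                # so certificates from the new PKI on the same account are untouched.
                Set-ADUser -Identity $u.DistinguishedName -Remove @{ userCertificate = $raw }
            }
        }

        [pscustomobject]@{ User = $u.SamAccountName; Action = $action; Subject = $cert.Subject;
                           Issuer = $cert.Issuer; NotAfter = $cert.NotAfter; Thumbprint = $cert.Thumbprint }
    }
}

# Keep a record of every decision, then show what would be (or was) removed
$log | Export-Csv -NoTypeInformation -Path $CsvPath
$log | Where-Object { $_.Action -ne 'Keep' } |
    Format-Table User, Action, Subject, NotAfter, Thumbprint -AutoSize
```

Run it once with $DryRun left at $true and read the CSV before flipping it; the two conditions are deliberately independent, so a still-valid certificate from the old sub CA that you want to keep (the asker mentions a couple) would need to be excluded by thumbprint before the live run. This only touches userCertificate on user objects; the CA's own objects under the Configuration partition (CN=Public Key Services) are what the KB889250 steps remove, and if Exchange is also complaining about S/MIME entries, userSMIMECertificate would need the same treatment.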
ASKER
By what mechanism does a certificate get cleared out of the directory upon revocation? We've revoked all but a couple certificates that we know we need yet they all still appear to be published under the user accounts. I'm not sure where to start troubleshooting this.
ASKER CERTIFIED SOLUTION
hope it helps